What is BlueKeep and how to protect yourself from it

In the modern age of technology, new security threats arrive daily, but most don’t see the day of light in the public discussion. Every now and then, however, an exceptionally devastating threat makes the news, usually when it is already too late. Such was the WannaCry ransomware outbreak in 2017 which affected hospitals, universities and telecommunication providers in more than 150 countries, causing over $300 million in estimated damages. Now, a new threat has popped up, named BlueKeep or CVE-2019-0708.

It is a software vulnerability affecting older versions of Microsoft Windows through its own Remote Desktop Protocol (RDP). It occurs when an unauthenticated attacker connects to the target system using RDP and sends specifically crafted requests. Unfortunately, this is done pre-authentication thus requiring no user interaction. A successful execution allows the attacker to install programs; view, change or delete data; or create new accounts with full user rights.

This vulnerability exists in the following Microsoft Windows operating systems in both 32-bit and 64-bit versions:

Windows 2000

Windows XP

Windows Vista

Windows 7

Windows Server 2003

Windows Server 2003 R2

Windows Server 2008

Windows Server 2008 R2

As per Microsoft’s warnings, the BlueKeep vulnerability could cause a “wormable” cybersecurity outbreak that has the “ability to replicate and propagate, similar to Conficker and WannaCry”. In a recent Microsoft Security Blog the Detection and Response Team (DART) wrote: “We see more than 400,000 endpoints lacking any form of network level authentication, which puts each of these systems (are) potentially at risk from a worm-based weaponization of the BlueKeep vulnerability”.

If you are using a Windows version which is affected by BlueKeep, you should download and apply the patches Microsoft released addressing the vulnerability, however, these patches are only available for versions which are still supported by their lifecycle policy. They could be found on the MSRC portal along with some mitigations and workarounds. If you are not currently using RDP services, it is highly recommended to disable them, yet installing the security patch is still advised.